Friday, February 17, 2023: Illinois Supreme Court Ruled Claims Under State’s Biometric Information Privacy Act Accrue with Each Scan or Transmission
Ruling Could Result in Massive Damage Awards Against Employers
Court Recently Also Clarified Employees Have 5 Years to Bring Claims
Creating the potential for huge damage awards against employers, the Illinois Supreme Court held that a claim accrues under the Illinois Biometric Information Privacy Act (IBIPA) “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The court majority in the 4-3 ruling found that the “plain language” of the statute required this conclusion. In contrast, the dissent reached the opposite conclusion. The case is Cothron v. White Castle System Inc. (Dkt. No. 128004). According to Reuters, nearly 2,000 lawsuits alleging violations of the IBIPA have been filed since 2017, yielding a series of massive settlements and judgments.
Employer Claimed Damages Could Exceed $17 Billion For This Case Alone
The IBIPA requires private entities to obtain permission before collecting fingerprints, retinal scans, and other biometric information. Under the statute, a prevailing party may recover against a private entity for each violation:
- liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations;
- liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violations;
- reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
- other relief, including an injunction, as the court may deem appropriate.
The plaintiff in the case before the Illinois Supreme Court raising the “each violation” issue, first brought her claims to the United States District Court for the Northern District of Illinois seeking class-action status on behalf of as many as 9,500 current and former White Castle employees. She claimed that the employer violated the IBIPA when it implemented a system that required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access using fingerprint-based sign-ins to computers or timekeeping machines. Both the majority and the dissent noted White Castle estimated that, if successful, damages for the plaintiff’s class-wide relief claims could exceed $17 billion.
Federal Appellate Court Sent Inquiry to State Supreme Court
Based on its assessment that a new IBIPA claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, the federal district court rejected the employer’s claims that the plaintiff’s lawsuit was untimely. Nevertheless, the federal court later certified its order for immediate interlocutory appeal to the Seventh Circuit Court of Appeals because it involved a controlling question of law on which there is substantial ground for disagreement. In turn, the Seventh Circuit found that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court.
The statute provides that “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless it first” obtains informed consent from the individual or the individual’s legally authorized representative. In a 14-and-½ page opinion, the Illinois Supreme Court majority agreed with the plaintiff that the plain language of the statute supported her interpretation. Citing Webster’s Third New International Dictionary (1993), the majority wrote that “collect” means “to receive, gather, or exact from a number of persons or other sources” and “capture” means “to take, seize, or catch.” “We disagree with the defendant that these are things that can happen only once,” Justice Elizabeth M. Rochford wrote for the majority.
Dissent Pointed Out Unreasonable Burden on Employers
It is unquestionable, that “a private entity may obtain any one type of a person’s biometric information only once, at least until that biometric identifier or information is destroyed,” Justice David K. Overstreet wrote for the dissent. “With subsequent authentication scans, the private entity is not obtaining anything it does not already have,” Justice Overstreet added in his 9-page dissent. Likewise, such information can be disclosed to a third party only once, the Justice pointed out, because “the person loses control of her biometric identifier or information only once.”
Moreover, “[t]he majority’s interpretation renders compliance with the Act especially burdensome for employers,” Justice Overstreet stated. This construction of IBIPA “could easily lead to annihilative liability for businesses,” he emphasized.
“Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm,” Justice Overstreet reasoned.
Five-Year Statute of Limitations
Employers should also note that the Illinois Supreme Court recently clarified that a five-year statute of limitations applies to IBIPA claims. Earlier this month, the court ruled, 5-0, that because the IBIPA does not specify a statute of limitations for lawsuits, a five-year “catchall” period in the state code of civil procedure applied. Two of the state’s supreme court justices did not take part in that decision in Tims v. Black Horse Carriers, Inc. (Dkt. No. 127801).